EP3800570B1 - Methods and systems for genetic malware analysis and classification using code reuse patterns - Google Patents
Methods and systems for genetic malware analysis and classification using code reuse patterns Download PDFInfo
- Publication number
- EP3800570B1 EP3800570B1 EP20199874.7A EP20199874A EP3800570B1 EP 3800570 B1 EP3800570 B1 EP 3800570B1 EP 20199874 A EP20199874 A EP 20199874A EP 3800570 B1 EP3800570 B1 EP 3800570B1
- Authority
- EP
- European Patent Office
- Prior art keywords
- code
- target
- genes
- individually
- instruction
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active
Links
- 238000000034 method Methods 0.000 title claims description 46
- 230000002068 genetic effect Effects 0.000 title claims description 14
- 108090000623 proteins and genes Proteins 0.000 claims description 112
- 239000012634 fragment Substances 0.000 claims description 57
- 230000006870 function Effects 0.000 claims description 17
- 230000008569 process Effects 0.000 description 14
- 238000010606 normalization Methods 0.000 description 12
- 238000013459 approach Methods 0.000 description 5
- 238000000605 extraction Methods 0.000 description 3
- 230000008520 organization Effects 0.000 description 3
- 241000700605 Viruses Species 0.000 description 2
- 230000009471 action Effects 0.000 description 2
- 238000001514 detection method Methods 0.000 description 2
- 230000008450 motivation Effects 0.000 description 2
- 238000012545 processing Methods 0.000 description 2
- 238000011524 similarity measure Methods 0.000 description 2
- 244000035744 Hura crepitans Species 0.000 description 1
- 230000004913 activation Effects 0.000 description 1
- 230000002155 anti-virotic effect Effects 0.000 description 1
- 230000006399 behavior Effects 0.000 description 1
- 230000003542 behavioural effect Effects 0.000 description 1
- 238000005516 engineering process Methods 0.000 description 1
- 230000003203 everyday effect Effects 0.000 description 1
- 230000036039 immunity Effects 0.000 description 1
- 230000007774 longterm Effects 0.000 description 1
- 238000013507 mapping Methods 0.000 description 1
- 238000012986 modification Methods 0.000 description 1
- 230000004048 modification Effects 0.000 description 1
- 230000002085 persistent effect Effects 0.000 description 1
- 238000011084 recovery Methods 0.000 description 1
- 230000004044 response Effects 0.000 description 1
- 239000012086 standard solution Substances 0.000 description 1
- 238000006467 substitution reaction Methods 0.000 description 1
- 230000008685 targeting Effects 0.000 description 1
- 230000000007 visual effect Effects 0.000 description 1
Images
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/55—Detecting local intrusion or implementing counter-measures
- G06F21/56—Computer malware detection or handling, e.g. anti-virus arrangements
- G06F21/562—Static detection
- G06F21/563—Static detection by source code analysis
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/55—Detecting local intrusion or implementing counter-measures
- G06F21/56—Computer malware detection or handling, e.g. anti-virus arrangements
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/55—Detecting local intrusion or implementing counter-measures
- G06F21/56—Computer malware detection or handling, e.g. anti-virus arrangements
- G06F21/562—Static detection
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/55—Detecting local intrusion or implementing counter-measures
- G06F21/56—Computer malware detection or handling, e.g. anti-virus arrangements
- G06F21/562—Static detection
- G06F21/565—Static detection by checking file integrity
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F9/00—Arrangements for program control, e.g. control units
- G06F9/06—Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
- G06F9/30—Arrangements for executing machine instructions, e.g. instruction decode
- G06F9/30003—Arrangements for executing specific machine instructions
- G06F9/30007—Arrangements for executing specific machine instructions to perform operations on data operands
- G06F9/3001—Arithmetic instructions
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F9/00—Arrangements for program control, e.g. control units
- G06F9/06—Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
- G06F9/30—Arrangements for executing machine instructions, e.g. instruction decode
- G06F9/30003—Arrangements for executing specific machine instructions
- G06F9/30007—Arrangements for executing specific machine instructions to perform operations on data operands
- G06F9/30032—Movement instructions, e.g. MOVE, SHIFT, ROTATE, SHUFFLE
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F9/00—Arrangements for program control, e.g. control units
- G06F9/06—Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
- G06F9/30—Arrangements for executing machine instructions, e.g. instruction decode
- G06F9/30003—Arrangements for executing specific machine instructions
- G06F9/30076—Arrangements for executing specific machine instructions to perform miscellaneous control operations, e.g. NOP
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F2221/00—Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F2221/03—Indexing scheme relating to G06F21/50, monitoring users, programs or devices to maintain the integrity of platforms
- G06F2221/033—Test or assess software
Definitions
- the present invention relates to methods and systems for genetic malware analysis and classification using code reuse patterns.
- Terminating a process and deleting a file offers zero guarantees and solves no problems in the long term, unfortunately.
- Standard solutions such as signature based (AV) and behavioral analysis tools (sandboxes, EDR) can be circumvented by threat actors reusing code and assets.
- AV signature based
- EDR behavioral analysis tools
- US Patent Publication No. 2014/0068768 recites an apparatus for identifying related code variants may include processing circuitry configured to execute instructions for receiving query binary code, processing the query binary code to generate one or more query code fingerprints comprising compressed representations of respective functional components of the query binary code, comparing the one or more query code fingerprints to at least some reference code fingerprints stored in a database to determine a similarity measure between the one or more query code fingerprints and at least some of the reference code fingerprints, and preparing at least one report based on the similarity measure.
- US Patent Publication No. 2015/0186649 recites systems and methods for generating and applying identification codes or "fingerprints" with respect to software functions contained in executable files. Utilizing such fingerprinting procedures, the function identification codes for known malicious files and/or known benign can be stored in the database. Subsequently, received files can be processed in the same manner and the function identification codes generated for the received files can be compared against the function identification codes for the known malicious files and/or known benign files in the database to determine a level of similarity between the functions of received executable files and those of known categorized executable files in the database.
- US Patent Publication No. 2017/0344352 recites that in a dynamic computing environment, it is a nontrivial task to verify code running in the environment because most approaches to software similarity require extensive and time-consuming analysis of a binary, or the approaches fail to recognize executables that are similar but nonidentical.
- a biosequence-based method for quantifying similarity of executable binaries is used to identify allowed codes in a real-world multi-user environment.
- US Patent Publication No. 2009/0313700 recites a system and method for generating malware definitions for use in managing malware on a computer, including receipt of a binary file running in system memory; taking a memory dump of the binary file at a time slice and storing the memory dump in a memory dump file; applying a normalization process to the memory dump file, wherein the normalization process alters a collection of data from the memory dump file, resulting in a normalized file; applying a comparison process between the normalized file and each of a plurality of normalized files stored in a database of malware definitions wherein the comparison process produces a comparison value associated with each of the normalized files in the database of malware definitions; and inserting the normalized file into the database of malware definitions, when each of the comparison values satisfies a predetermined criterion.
- US Patent Publication No. 2007/0240217 recites a system and method for detecting malware by modeling the behavior of malware and comparing a suspect executable with the model.
- Feature elements are extracted from malware-infected applications, groups the feature elements into feature sets, and develops rules describing a malicious probability relationship between the feature elements.
- exemplary is used herein to refer to examples of embodiments and/or implementations, and is not meant to necessarily convey a more-desirable use-case.
- alternative and “alternatively” are used herein to refer to an example out of an assortment of contemplated embodiments and/or implementations, and is not meant to necessarily convey a more-desirable use-case. Therefore, it is understood from the above that “exemplary” and “alternative” may be applied herein to multiple embodiments and/or implementations. Various combinations of such alternative and/or exemplary embodiments are also contemplated herein.
- Embodiments of the present invention utilize genetic malware analysis which is based on the evolutionary principle that all software, whether legitimate or malicious, is comprised of previously written code. Malware authors leverage code reuse when employing new campaigns. For defenders, this provides critical information for detection, classification, level of sophistication and threat actor capabilities.
- Embodiments of the present invention exploit such aspects by generating a complete mapping of a suspicious file including information about which pieces of code have been seen only in a specific malware family, only in trusted software, or in both malicious and trusted software.
- metadata such as who is the vendor who wrote the code, and which versions does the code appear in provide useful information and context regarding the granular assembly-code pieces.
- knowing that a piece of code hasn't been seen before can also indicate the following. If a suspicious file includes a lot of unique code, it might be a sign of a new malware variant, and that might be used as a strong indicator for detecting sophisticated threats. In such cases, the organization's SOC (Security Operation Center) or IR (Incident Response) team knows to place their focus and resources on these pieces of code, in order to determine their meaning.
- SOC Security Operation Center
- IR Incident Response
- Embodiments of the present invention enable security teams to reduce the number of files that need to be manually analyzed, enabling them to focus on the harmful, malicious files, prioritizing actual threats over false positives.
- the ability to index specific malware targeting the organization into the genome database means security professionals can not only ensure immunity for a single incident, but immune the organization against an adversary entirely.
- tracking code reuse in malware forces the attacker to rewrite their tools and assets, making it much harder to conduct cyber-attacks.
- Embodiments of the present invention enable trusted code to be indexed as well. For example, if proprietary software has code that was never seen before in the genome database, the code can be indexed as trusted. Such code would be visible only to the software's owner.
- Implementations of the present invention dissect any given executable file (e.g., from disk or memory) into tiny pieces of binary code, referred to as genes, and compare the file's genes to a code genome database containing billions of genes from trusted and malicious software.
- executable file e.g., from disk or memory
- genes tiny pieces of binary code
- a method for genetic malware analysis and classification using code reuse patterns including the steps of: (a) upon receiving a target binary file, disassembling the target binary file into assembly code; (b) extracting individually-identifiable code fragments from the assembly code; (c) normalizing the individually-identifiable code fragments into target genes by: (i) grouping certain instructions in a given individually-identifiable code fragment that produce identical instruction outputs either individually or in conjunction with at least one other instruction in the given individually-identifiable code fragment; and (ii) grouping certain individually-identifiable code fragments into a unique target gene, of the target genes, that forms at most exclusively only one function code for performing a command instruction; (d) collating the target genes into a code genome database; and (e) detecting all files and/or code families in the code genome database containing the target genes from the target binary file, wherein the step of detecting includes prioritizing that false-positive matches between the files and/or
- the step of normalizing includes upon detecting a NOP instruction, corresponding to a command for no operation to be performed, removing the NOP instruction from the target genes.
- the step of normalizing includes upon detecting a MOV instruction in a specific individually-identifiable code fragment, corresponding to a command to move values to a register, and wherein the MOV instruction is listed in the specific individually-identifiable code fragment before a CALL instruction, normalizing the MOV instruction to a PUSH instruction in the target genes.
- the MOV instruction is normalized to the PUSH regardless of whether the MOV instruction and the CALL instruction are consecutive instructions.
- the step of normalizing includes upon detecting a SUB instruction, corresponding to a command for a subtraction operation to be performed, normalizing the SUB instruction to an ADD instruction, corresponding to a command for an addition operation to be performed, in the target genes.
- the method further includes the step of: (f) determining an accurate designation of the target binary file based on the target genes.
- the accurate designation of the target binary file is: (i) malicious based on shared genes in the target genes and the code genome database only found in malicious files; or (ii) benign based on shared genes in the target genes and the code genome database only found in trusted files.
- the step of determining includes determining the target binary file is associated with at least one malware file family based on families of files that the target binary file shares shared genes with.
- the step of normalizing includes normalizing multiple code instructions into a single code instruction.
- a system for genetic malware analysis and classification using code reuse patterns including: (a) a CPU for performing computational operations; (b) a memory module for storing data; and (c) a disassembly module configured for, upon receiving a target binary file, disassembling the target binary file into assembly code; (d) an extracting module configured for extracting individually-identifiable code fragments from the assembly code; (e) a normalizing module configured for normalizing the individually-identifiable code fragments into target genes by: (i) grouping certain instructions in a given individually-identifiable code fragment that produce identical instruction outputs either individually or in conjunction with at least one other instruction in the given individually-identifiable code fragment; and (ii) grouping certain individually-identifiable code fragments into a unique target gene, of the target genes, that forms at most exclusively only one function code for performing a command instruction; (f) a collating module configured for collating the target genes into a code genome database;
- the normalizing includes upon detecting a NOP instruction, corresponding to a command for no operation to be performed, removing the NOP instruction from the target genes.
- the normalizing includes upon detecting a MOV instruction in a specific individually-identifiable code fragment, corresponding to a command to move values to a register, and wherein the MOV instruction is listed in the specific individually-identifiable code fragment before a CALL instruction, normalizing the MOV instruction to a PUSH instruction in the target genes.
- the MOV instruction is normalized to the PUSH regardless of whether the MOV instruction and the CALL instruction are consecutive instructions.
- the normalizing includes upon detecting a SUB instruction, corresponding to a command for a subtraction operation to be performed, normalizing the SUB instruction to an ADD instruction, corresponding to a command for an addition operation to be performed, in the target genes.
- system further including: (h) a determining module configured for determining an accurate designation of the target binary file based on the target genes.
- the accurate designation of the target binary file is: (i) malicious based on shared genes in the target genes and the code genome database only found in malicious files; or (ii) benign based on shared genes in the target genes and the code genome database only found in trusted files.
- the determining includes determining the target binary file is associated with at least one malware file family based on families of files that the target binary file shares shared genes with.
- the normalizing includes normalizing multiple code instructions into a single code instruction.
- a non-transitory computer-readable storage medium having computer-readable code embodied on the non-transitory computer-readable storage medium, for genetic malware analysis and classification using code reuse patterns
- the computer-readable code including: (a) program code for, upon receiving a target binary file, disassembling the target binary file into assembly code; (b) program code for extracting individually-identifiable code fragments from the assembly code; (c) program code for normalizing the individually-identifiable code fragments into target genes by: (i) grouping certain instructions in a given individually-identifiable code fragment that produce identical instruction outputs either individually or in conjunction with at least one other instruction in the given individually-identifiable code fragment; and (ii) grouping certain individually-identifiable code fragments into a unique target gene, of the target genes, that forms at most exclusively only one function code for performing a command instruction; (d) program code for collating the target genes into a code genome database; and (e) program code for detecting
- the normalizing includes upon detecting a NOP instruction, corresponding to a command for no operation to be performed, removing the NOP instruction from the target genes.
- the normalizing includes upon detecting a MOV instruction in a specific individually-identifiable code fragment, corresponding to a command to move values to a register, and wherein the MOV instruction is listed in the specific individually-identifiable code fragment before a CALL instruction, normalizing the MOV instruction to a PUSH instruction in the target genes.
- the MOV instruction is normalized to the PUSH regardless of whether the MOV instruction and the CALL instruction are consecutive instructions.
- the normalizing includes upon detecting a SUB instruction, corresponding to a command for a subtraction operation to be performed, normalizing the SUB instruction to an ADD instruction, corresponding to a command for an addition operation to be performed, in the target genes.
- the computer-readable code further includes: (f) program code for determining an accurate designation of the target binary file based on the target genes.
- the accurate designation of the target binary file is: (i) malicious based on shared genes in the target genes and the code genome database only found in malicious files; or (ii) benign based on shared genes in the target genes and the code genome database only found in trusted files.
- the determining includes determining the target binary file is associated with at least one malware file family based on families of files that the target binary file shares shared genes with.
- the normalizing includes normalizing multiple code instructions into a single code instruction.
- the present invention relates to methods and systems for genetic malware analysis and classification using code reuse patterns.
- the principles and operation for providing such methods and systems, according to the present invention may be better understood with reference to the accompanying description and the drawings.
- Figure 1A is a simplified flowchart of the major process steps for the gene extraction process, according to embodiments of the present invention.
- the process starts with activation of the gene extraction process upon accessing a target binary file (Step 2 ).
- the binary file is then disassembled into assembly code (Step 4 ).
- Individually identified code fragments are extracted from the assembly code (Step 6 ).
- a normalization process is then performed to produce the genes of assembly code (Step 8 ).
- the genes are finally collated in a code genome database (Step 10 ).
- the normalization process involves two grouping sub-steps.
- the first such sub-step involves grouping certain instructions in a given individually-identifiable code fragment that produce identical instruction outputs either individually or in conjunction with at least one other instruction in the given individually-identifiable code fragment.
- the second such sub-step involves grouping certain individually-identifiable code fragments into a unique target gene, of the target genes, that forms at most exclusively only one function code for performing a command instruction.
- the normalization process is based on rules that can support multiple architectures and instruction sets (e.g., x86, x64, ARM, and ARM64) under different operating systems (Windows, Linux, and Android), and even can be effective for non-native, intermediate languages (e.g., .NET, Java, Python, and Visual Basic).
- multiple code instructions can be normalized into a single code instruction.
- Different rules are employed depending on the platform of the target file (i.e., different rules employed for x86, x64, .NET, and Java).
- the code of the target file may typically include an instruction for no operation to be performed (referred to as a NOP instruction).
- NOP instruction an instruction for no operation to be performed
- the system removes the instruction from the normalized code.
- the code of the target file may typically include a MOV instruction to move values to a register before calling a function.
- MOV instruction When such a MOV instruction is detected, the system normalizes the instruction to a PUSH instruction in the normalized code.
- a CALL instruction will jump to the function code and execute it. Such considerations depend on the compilation flags during the process. In order to be flexible, the system detects the genes as identical, even though the assembly is different. In one configuration, in order to send values to a function, the stack is utilized with a PUSH command. In another configuration, a MOV command moves values to registers before calling a function. The system normalizes such MOV commands to PUSH commands.
- Such normalization involves detecting a MOV instruction in a specific individually-identifiable code fragment, corresponding to a command to move values to a register.
- the MOV instruction is listed in the specific individually-identifiable code fragment before a CALL instruction, the MOV instruction is normalized to a PUSH instruction in the target genes.
- the system also supports situations in which the MOV and CALL commands are not consecutive instructions with additional instructions interspersed between them. In such a case, the MOV command will be normalized to a PUSH command even though the CALL command doesn't immediately follow the MOV command.
- a SUB instruction i.e., a subtraction command
- an ADD instruction i.e., an addition command
- code reuse is "masked" by such trivial substitutions (i.e., replacing an ADD with a SUB).
- FIG. 1B is a simplified flowchart of the major process steps for genetic malware analysis and classification, according to embodiments of the present invention.
- the process starts when the code of the target binary file is broken into pieces (Step 20 ), which are then normalized into genes (Step 22 ).
- a numeric token is generated for each gene (Step 24 ).
- the numeric token is used to identify the gene in the code genome database (Step 26 ).
- the gene can then be stored in the code genome database (Step 28 ), or used to detect all files and/or code families containing the target gene (Step 30 ).
- the system can determine the accurate designation (e.g., malicious, trusted, or library) of the target file being analyzed based on the total classification of the file's genes (Step 32 ).
- such detecting as in Step 30 involves prioritizing that false-positive matches between the files and/or the code families of the target binary file and the target genes are not detected.
- false-positive matches are exemplified as genericized matches among the target genes which are not related to a shared origin source code.
- FIG 2A is a simplified flowchart of the major process steps for determining whether a target file is benign or malicious based on code reuse, according to embodiments of the present invention.
- the process starts with breaking the code of a target binary file into fragments, and normalizing the fragments into genes (Step 40 ).
- the numeric tokens are then used to search the code genome database for shared genes (Step 42 ).
- the target file is determined to be malicious if it contains shared genes that are only found in malicious files (Step 44 ).
- the target file is determined to be benign if it contains shared genes that are only found in trusted files (Step 46 ).
- FIG. 2B is a simplified flowchart of the major process steps for classifying a target file to a malware family based on code reuse, according to embodiments of the present invention.
- the process similarly starts with breaking the code of a target binary file into fragments, and normalizing the fragments into genes (Step 50 ).
- the numeric tokens are then used to search the code genome database for shared genes (Step 52 ).
- the malware file family (or families) to which the target file belongs to is determined based on the families of files that the target file shares shared genes with (Step 54 ).
Description
- The present invention relates to methods and systems for genetic malware analysis and classification using code reuse patterns.
- Despite the rapid pace of technology in general, few industries today are as dynamic as that of cyber security. Attackers' techniques are constantly evolving, and along with them, the potential threat.
- For security teams, the challenge remains not to keep up, but rather, to outpace them. It is a persistent struggle: a never-ending, record-setting marathon at a constant sprint. Even as security professionals rest, attackers are hard at work. The tools and approaches used must also adapt in order to stay a step ahead in defending their organizations. Malware classification, which encompasses both the identification and attribution of code, has the power to unlock many clues that aid security teams in achieving this.
- Such clues provide a greater understanding of potential adversaries. Going beyond whether code is trustworthy or malicious offers a multifaceted view into attackers' mindsets and ultimately, their goals.
- Yet many security teams stop their line of inquiry once they reach a conclusion about a given file. If the code is trustworthy, no action is required. If the code is malicious, it needs to be mitigated and eradicated as quickly as possible, with recovery of important files occurring in tandem.
- Terminating a process and deleting a file offers zero guarantees and solves no problems in the long term, unfortunately. Today, it's critical (and until now, quite complicated) to both analyze threats as well as fully understand them after the initial breach in an automated way. This is the one way that attackers can be remotely 'interrogated,' enabling security teams to uncover the reasons behind their actions simply rather than remediating and remaining oblivious.
- Standard solutions such as signature based (AV) and behavioral analysis tools (sandboxes, EDR) can be circumvented by threat actors reusing code and assets. Whether legitimate or malicious, nearly every software is composed of previously written code; the key to deeply understanding its nature and origins lies in discovering code that has appeared in previously known software. Reports on malware statistics indicate that there are around 350,000 new samples every day. Attackers reuse their code, composing it differently to create new samples with different hashes. The high number of new files has made it difficult to keep up with the pace.
- In the prior art,
US Patent Publication No. 2014/0068768 recites an apparatus for identifying related code variants may include processing circuitry configured to execute instructions for receiving query binary code, processing the query binary code to generate one or more query code fingerprints comprising compressed representations of respective functional components of the query binary code, comparing the one or more query code fingerprints to at least some reference code fingerprints stored in a database to determine a similarity measure between the one or more query code fingerprints and at least some of the reference code fingerprints, and preparing at least one report based on the similarity measure. -
US Patent Publication No. 2015/0186649 recites systems and methods for generating and applying identification codes or "fingerprints" with respect to software functions contained in executable files. Utilizing such fingerprinting procedures, the function identification codes for known malicious files and/or known benign can be stored in the database. Subsequently, received files can be processed in the same manner and the function identification codes generated for the received files can be compared against the function identification codes for the known malicious files and/or known benign files in the database to determine a level of similarity between the functions of received executable files and those of known categorized executable files in the database. -
US Patent Publication No. 2017/0344352 recites that in a dynamic computing environment, it is a nontrivial task to verify code running in the environment because most approaches to software similarity require extensive and time-consuming analysis of a binary, or the approaches fail to recognize executables that are similar but nonidentical. A biosequence-based method for quantifying similarity of executable binaries is used to identify allowed codes in a real-world multi-user environment. -
US Patent Publication No. 2009/0313700 recites a system and method for generating malware definitions for use in managing malware on a computer, including receipt of a binary file running in system memory; taking a memory dump of the binary file at a time slice and storing the memory dump in a memory dump file; applying a normalization process to the memory dump file, wherein the normalization process alters a collection of data from the memory dump file, resulting in a normalized file; applying a comparison process between the normalized file and each of a plurality of normalized files stored in a database of malware definitions wherein the comparison process produces a comparison value associated with each of the normalized files in the database of malware definitions; and inserting the normalized file into the database of malware definitions, when each of the comparison values satisfies a predetermined criterion. - A publication by Rad entitled, "Metamorphic Virus Variants Classification Using Opcode Frequency Histogram," discloses, in order to prevent detection and evade signature-based scanning methods, which are normally exploited by antivirus softwares, metamorphic viruses use several various obfuscation approaches.
-
US Patent Publication No. 2007/0240217 recites a system and method for detecting malware by modeling the behavior of malware and comparing a suspect executable with the model. Feature elements are extracted from malware-infected applications, groups the feature elements into feature sets, and develops rules describing a malicious probability relationship between the feature elements. - It would be desirable to have methods and systems for genetic malware analysis and classification using code reuse patterns. Such methods and systems would, inter alia, overcome the various limitations mentioned above.
- It is the purpose of the present invention to provide methods and systems for genetic malware analysis and classification using code reuse patterns. The invention is as defined in the appended claims.
- It is noted that the term "exemplary" is used herein to refer to examples of embodiments and/or implementations, and is not meant to necessarily convey a more-desirable use-case. Similarly, the terms "alternative" and "alternatively" are used herein to refer to an example out of an assortment of contemplated embodiments and/or implementations, and is not meant to necessarily convey a more-desirable use-case. Therefore, it is understood from the above that "exemplary" and "alternative" may be applied herein to multiple embodiments and/or implementations. Various combinations of such alternative and/or exemplary embodiments are also contemplated herein.
- Embodiments of the present invention utilize genetic malware analysis which is based on the evolutionary principle that all software, whether legitimate or malicious, is comprised of previously written code. Malware authors leverage code reuse when employing new campaigns. For defenders, this provides critical information for detection, classification, level of sophistication and threat actor capabilities.
- Embodiments of the present invention exploit such aspects by generating a complete mapping of a suspicious file including information about which pieces of code have been seen only in a specific malware family, only in trusted software, or in both malicious and trusted software. In addition, metadata such as who is the vendor who wrote the code, and which versions does the code appear in provide useful information and context regarding the granular assembly-code pieces.
- Moreover, knowing that a piece of code hasn't been seen before, can also indicate the following. If a suspicious file includes a lot of unique code, it might be a sign of a new malware variant, and that might be used as a strong indicator for detecting sophisticated threats. In such cases, the organization's SOC (Security Operation Center) or IR (Incident Response) team knows to place their focus and resources on these pieces of code, in order to determine their meaning.
- Embodiments of the present invention enable security teams to reduce the number of files that need to be manually analyzed, enabling them to focus on the harmful, malicious files, prioritizing actual threats over false positives. Moreover, the ability to index specific malware targeting the organization into the genome database, means security professionals can not only ensure immunity for a single incident, but immune the organization against an adversary entirely. In addition, tracking code reuse in malware, forces the attacker to rewrite their tools and assets, making it much harder to conduct cyber-attacks.
- Embodiments of the present invention enable trusted code to be indexed as well. For example, if proprietary software has code that was never seen before in the genome database, the code can be indexed as trusted. Such code would be visible only to the software's owner.
- Implementations of the present invention dissect any given executable file (e.g., from disk or memory) into tiny pieces of binary code, referred to as genes, and compare the file's genes to a code genome database containing billions of genes from trusted and malicious software.
- Therefore, according to the present invention, there is provided for the first time a method for genetic malware analysis and classification using code reuse patterns, the method including the steps of: (a) upon receiving a target binary file, disassembling the target binary file into assembly code; (b) extracting individually-identifiable code fragments from the assembly code; (c) normalizing the individually-identifiable code fragments into target genes by: (i) grouping certain instructions in a given individually-identifiable code fragment that produce identical instruction outputs either individually or in conjunction with at least one other instruction in the given individually-identifiable code fragment; and (ii) grouping certain individually-identifiable code fragments into a unique target gene, of the target genes, that forms at most exclusively only one function code for performing a command instruction; (d) collating the target genes into a code genome database; and (e) detecting all files and/or code families in the code genome database containing the target genes from the target binary file, wherein the step of detecting includes prioritizing that false-positive matches between the files and/or the code families of the target binary file and the target genes are not detected, wherein the false-positive matches are exemplified as genericized matches among the target genes which are not related to a shared origin source code.
- Alternatively, the step of normalizing includes upon detecting a NOP instruction, corresponding to a command for no operation to be performed, removing the NOP instruction from the target genes.
- Alternatively, the step of normalizing includes upon detecting a MOV instruction in a specific individually-identifiable code fragment, corresponding to a command to move values to a register, and wherein the MOV instruction is listed in the specific individually-identifiable code fragment before a CALL instruction, normalizing the MOV instruction to a PUSH instruction in the target genes.
- Most alternatively, the MOV instruction is normalized to the PUSH regardless of whether the MOV instruction and the CALL instruction are consecutive instructions.
- Alternatively, the step of normalizing includes upon detecting a SUB instruction, corresponding to a command for a subtraction operation to be performed, normalizing the SUB instruction to an ADD instruction, corresponding to a command for an addition operation to be performed, in the target genes.
- Alternatively, the method further includes the step of: (f) determining an accurate designation of the target binary file based on the target genes.
- Most alternatively, the accurate designation of the target binary file is: (i) malicious based on shared genes in the target genes and the code genome database only found in malicious files; or (ii) benign based on shared genes in the target genes and the code genome database only found in trusted files.
- Most alternatively, the step of determining includes determining the target binary file is associated with at least one malware file family based on families of files that the target binary file shares shared genes with.
- Alternatively, the step of normalizing includes normalizing multiple code instructions into a single code instruction.
- According to the present invention, there is provided for the first time a system for genetic malware analysis and classification using code reuse patterns, the system including: (a) a CPU for performing computational operations; (b) a memory module for storing data; and (c) a disassembly module configured for, upon receiving a target binary file, disassembling the target binary file into assembly code; (d) an extracting module configured for extracting individually-identifiable code fragments from the assembly code; (e) a normalizing module configured for normalizing the individually-identifiable code fragments into target genes by: (i) grouping certain instructions in a given individually-identifiable code fragment that produce identical instruction outputs either individually or in conjunction with at least one other instruction in the given individually-identifiable code fragment; and (ii) grouping certain individually-identifiable code fragments into a unique target gene, of the target genes, that forms at most exclusively only one function code for performing a command instruction; (f) a collating module configured for collating the target genes into a code genome database; and (g) a detecting module for detecting all files and/or code families in the code genome database containing the target genes from the target binary file, wherein the detecting includes prioritizing that false-positive matches between the files and/or the code families of the target binary file and the target genes are not detected, wherein the false-positive matches are exemplified as genericized matches among the target genes which are not related to a shared origin source code.
- Alternatively, the normalizing includes upon detecting a NOP instruction, corresponding to a command for no operation to be performed, removing the NOP instruction from the target genes.
- Alternatively, the normalizing includes upon detecting a MOV instruction in a specific individually-identifiable code fragment, corresponding to a command to move values to a register, and wherein the MOV instruction is listed in the specific individually-identifiable code fragment before a CALL instruction, normalizing the MOV instruction to a PUSH instruction in the target genes.
- Most alternatively, the MOV instruction is normalized to the PUSH regardless of whether the MOV instruction and the CALL instruction are consecutive instructions.
- Alternatively, the normalizing includes upon detecting a SUB instruction, corresponding to a command for a subtraction operation to be performed, normalizing the SUB instruction to an ADD instruction, corresponding to a command for an addition operation to be performed, in the target genes.
- Alternatively, the system further including: (h) a determining module configured for determining an accurate designation of the target binary file based on the target genes.
- Most alternatively, the accurate designation of the target binary file is: (i) malicious based on shared genes in the target genes and the code genome database only found in malicious files; or (ii) benign based on shared genes in the target genes and the code genome database only found in trusted files.
- Most alternatively, the determining includes determining the target binary file is associated with at least one malware file family based on families of files that the target binary file shares shared genes with.
- Alternatively, the normalizing includes normalizing multiple code instructions into a single code instruction.
- According to the present invention, there is provided for the first time a non-transitory computer-readable storage medium, having computer-readable code embodied on the non-transitory computer-readable storage medium, for genetic malware analysis and classification using code reuse patterns, the computer-readable code including: (a) program code for, upon receiving a target binary file, disassembling the target binary file into assembly code; (b) program code for extracting individually-identifiable code fragments from the assembly code; (c) program code for normalizing the individually-identifiable code fragments into target genes by: (i) grouping certain instructions in a given individually-identifiable code fragment that produce identical instruction outputs either individually or in conjunction with at least one other instruction in the given individually-identifiable code fragment; and (ii) grouping certain individually-identifiable code fragments into a unique target gene, of the target genes, that forms at most exclusively only one function code for performing a command instruction; (d) program code for collating the target genes into a code genome database; and (e) program code for detecting all files and/or code families in the code genome database containing the target genes from the target binary file, wherein the detecting includes prioritizing that false-positive matches between the files and/or the code families of the target binary file and the target genes are not detected, wherein the false-positive matches are exemplified as genericized matches among the target genes which are not related to a shared origin source code.
- Alternatively, the normalizing includes upon detecting a NOP instruction, corresponding to a command for no operation to be performed, removing the NOP instruction from the target genes.
- Alternatively, the normalizing includes upon detecting a MOV instruction in a specific individually-identifiable code fragment, corresponding to a command to move values to a register, and wherein the MOV instruction is listed in the specific individually-identifiable code fragment before a CALL instruction, normalizing the MOV instruction to a PUSH instruction in the target genes.
- Most alternatively, the MOV instruction is normalized to the PUSH regardless of whether the MOV instruction and the CALL instruction are consecutive instructions.
- Alternatively, the normalizing includes upon detecting a SUB instruction, corresponding to a command for a subtraction operation to be performed, normalizing the SUB instruction to an ADD instruction, corresponding to a command for an addition operation to be performed, in the target genes.
- Alternatively, the computer-readable code further includes: (f) program code for determining an accurate designation of the target binary file based on the target genes.
- Most alternatively, the accurate designation of the target binary file is: (i) malicious based on shared genes in the target genes and the code genome database only found in malicious files; or (ii) benign based on shared genes in the target genes and the code genome database only found in trusted files.
- Most alternatively, the determining includes determining the target binary file is associated with at least one malware file family based on families of files that the target binary file shares shared genes with.
- Alternatively, the normalizing includes normalizing multiple code instructions into a single code instruction.
- These and further embodiments will be apparent from the detailed description and examples that follow.
- The present invention is herein described, by way of example only, with reference to the accompanying drawings, wherein:
-
Figure 1A is a simplified flowchart of the major process steps for the gene extraction process, according to embodiments of the present invention; -
Figure 1B is a simplified flowchart of the major process steps for genetic malware analysis and classification, according to embodiments of the present invention; -
Figure 2A is a simplified flowchart of the major process steps for determining whether a target file is benign or malicious based on code reuse, according to embodiments of the present invention; -
Figure 2B is a simplified flowchart of the major process steps for classifying a target file to a malware family based on code reuse, according to embodiments of the present invention. - The present invention relates to methods and systems for genetic malware analysis and classification using code reuse patterns. The principles and operation for providing such methods and systems, according to the present invention, may be better understood with reference to the accompanying description and the drawings.
- Referring to the drawings,
Figure 1A is a simplified flowchart of the major process steps for the gene extraction process, according to embodiments of the present invention. The process starts with activation of the gene extraction process upon accessing a target binary file (Step 2). The binary file is then disassembled into assembly code (Step 4). Individually identified code fragments are extracted from the assembly code (Step 6). A normalization process is then performed to produce the genes of assembly code (Step 8). The genes are finally collated in a code genome database (Step 10). - The normalization process involves two grouping sub-steps. The first such sub-step involves grouping certain instructions in a given individually-identifiable code fragment that produce identical instruction outputs either individually or in conjunction with at least one other instruction in the given individually-identifiable code fragment. The second such sub-step involves grouping certain individually-identifiable code fragments into a unique target gene, of the target genes, that forms at most exclusively only one function code for performing a command instruction.
- The normalization process is based on rules that can support multiple architectures and instruction sets (e.g., x86, x64, ARM, and ARM64) under different operating systems (Windows, Linux, and Android), and even can be effective for non-native, intermediate languages (e.g., .NET, Java, Python, and Visual Basic). In all embodiments herein, multiple code instructions can be normalized into a single code instruction. Different rules are employed depending on the platform of the target file (i.e., different rules employed for x86, x64, .NET, and Java).
- Some exemplary normalization rules include the following. The code of the target file may typically include an instruction for no operation to be performed (referred to as a NOP instruction). When a NOP instruction is detected, the system removes the instruction from the normalized code. The code of the target file may typically include a MOV instruction to move values to a register before calling a function. When such a MOV instruction is detected, the system normalizes the instruction to a PUSH instruction in the normalized code.
- There are many ways for how subroutines receive parameters from their caller, and how they return a result, or call a function (referred to as a "calling convention"). A CALL instruction will jump to the function code and execute it. Such considerations depend on the compilation flags during the process. In order to be flexible, the system detects the genes as identical, even though the assembly is different. In one configuration, in order to send values to a function, the stack is utilized with a PUSH command. In another configuration, a MOV command moves values to registers before calling a function. The system normalizes such MOV commands to PUSH commands.
- Such normalization involves detecting a MOV instruction in a specific individually-identifiable code fragment, corresponding to a command to move values to a register. When the MOV instruction is listed in the specific individually-identifiable code fragment before a CALL instruction, the MOV instruction is normalized to a PUSH instruction in the target genes.
- The system also supports situations in which the MOV and CALL commands are not consecutive instructions with additional instructions interspersed between them. In such a case, the MOV command will be normalized to a PUSH command even though the CALL command doesn't immediately follow the MOV command.
- As another exemplary normalization rule, for some architectures, a SUB instruction (i.e., a subtraction command) is normalized to an ADD instruction (i.e., an addition command). The underlying concept/operation for both commands is the same. In some instances, code reuse is "masked" by such trivial substitutions (i.e., replacing an ADD with a SUB). By applying such a normalization, a broader set of code genes can be categorized and analyzed.
- The motivation for such normalization is the fact that the same source code can produce different assembly code. Without such normalization rules, similar code fragments which might go undetected because they are not an exact match in a one-to-one code comparison. Such an approach needs to balance being flexible in the rules and finding accurate matches (e.g., non-identical assembly code produced from the same source code) in the code genome database, while not making the rules too generic (e.g., matches between two assembly code fragments which are not related to a shared origin source code).
-
Figure 1B is a simplified flowchart of the major process steps for genetic malware analysis and classification, according to embodiments of the present invention. The process starts when the code of the target binary file is broken into pieces (Step 20), which are then normalized into genes (Step 22). A numeric token is generated for each gene (Step 24). The numeric token is used to identify the gene in the code genome database (Step 26). The gene can then be stored in the code genome database (Step 28), or used to detect all files and/or code families containing the target gene (Step 30). Finally, followingStep 30 and/or iterations of the process thereof, the system can determine the accurate designation (e.g., malicious, trusted, or library) of the target file being analyzed based on the total classification of the file's genes (Step 32). - As described above with regard to the motivations for such normalization, and included in all embodiments herein, such detecting as in
Step 30 involves prioritizing that false-positive matches between the files and/or the code families of the target binary file and the target genes are not detected. Such false-positive matches are exemplified as genericized matches among the target genes which are not related to a shared origin source code. -
Figure 2A is a simplified flowchart of the major process steps for determining whether a target file is benign or malicious based on code reuse, according to embodiments of the present invention. The process starts with breaking the code of a target binary file into fragments, and normalizing the fragments into genes (Step 40). The numeric tokens are then used to search the code genome database for shared genes (Step 42). The target file is determined to be malicious if it contains shared genes that are only found in malicious files (Step 44). The target file is determined to be benign if it contains shared genes that are only found in trusted files (Step 46). -
Figure 2B is a simplified flowchart of the major process steps for classifying a target file to a malware family based on code reuse, according to embodiments of the present invention. The process similarly starts with breaking the code of a target binary file into fragments, and normalizing the fragments into genes (Step 50). The numeric tokens are then used to search the code genome database for shared genes (Step 52). The malware file family (or families) to which the target file belongs to is determined based on the families of files that the target file shares shared genes with (Step 54). - While the present invention has been described with respect to a limited number of embodiments, it will be appreciated that many variations, modifications, and other applications of the present invention may be made.
Claims (15)
- A method for genetic malware analysis and classification using code reuse patterns, the method comprising the steps of:(a) upon receiving a target binary file, disassembling said target binary file into assembly code;(b) extracting individually-identifiable code fragments from said assembly code;(c) normalizing said individually-identifiable code fragments by:(i) grouping certain instructions in a given said individually-identifiable code fragment that produce identical instruction outputs either individually or in conjunction with at least one other instruction in said given individually-identifiable code fragment; and(ii) grouping certain said individually-identifiable code fragments that form at most exclusively only one function code for performing a given instruction, wherein each grouping of said certain individually-identifiable code fragments is designated as a unique target code gene, and wherein a target code gene is defined as a code reuse pattern classification;(d) collating said target code genes into a code genome database; and(e) detecting all files and/or code families in said code genome database containing said target code genes from said target binary file, wherein said step of detecting includes prioritizing that false-positive matches between said files and/or said code families of said target binary file and said target code genes are not detected, wherein said false-positive matches are exemplified as genericized matches among said target code genes which are not related to a shared origin source code.
- The method of claim 1, wherein said step of normalizing includes upon detecting a MOV instruction in a specific said individually-identifiable code fragment, corresponding to a command to move values to a register, and wherein said MOV instruction is listed in said specific individually-identifiable code fragment before a CALL instruction, normalizing said MOV instruction to a PUSH instruction in said target code genes.
- The method of any one of claims 1 or 2, the method further comprising the step of:(f) determining an accurate designation of said target binary file based on said target code genes.
- The method of claim 3, wherein said accurate designation of said target binary file is:(i) malicious based on shared code genes in said target code genes and said code genome database only found in malicious files; or(ii) benign based on shared code genes in said target code genes and said code genome database only found in trusted files.
- The method of any one of claims 1 to 4, wherein said step of normalizing includes normalizing multiple code instructions into a single code instruction.
- A system for genetic malware analysis and classification using code reuse patterns, the system comprising:(a) a CPU for performing computational operations;(b) a memory for storing data;(c) a disassembly module configured for, upon receiving a target binary file, disassembling said target binary file into assembly code;(d) an extracting module configured for extracting individually-identifiable code fragments from said assembly code;(e) a normalizing module configured for normalizing said individually-identifiable code fragments by:(i) grouping certain instructions in a given said individually-identifiable code fragment that produce identical instruction outputs either individually or in conjunction with at least one other instruction in said given individually-identifiable code fragment; and(ii) grouping certain said individually-identifiable code fragments that form at most exclusively only one function code for performing a given instruction, wherein each grouping of said certain individually-identifiable code fragments is designated as a unique target code gene, and wherein a target code gene is defined as a code reuse pattern classification;(f) a collating module for collating said target code genes into a code genome database; and(g) a detecting module for detecting all files and/or code families in said code genome database containing said target code genes from said target binary file, wherein said detecting includes prioritizing that false-positive matches between said files and/or said code families of said target binary file and said target code genes are not detected, wherein said false-positive matches are exemplified as genericized matches among said target code genes which are not related to a shared origin source code.
- The system of claim 6, wherein said normalizing includes upon detecting a MOV instruction in a specific said individually-identifiable code fragment, corresponding to a command to move values to a register, and wherein said MOV instruction is listed in said specific individually-identifiable code fragment before a CALL instruction, normalizing said MOV instruction to a PUSH instruction in said target code genes.
- The system of any one of claims 6 or 7, the system further comprising:(h) a determining module configured for determining an accurate designation of said target binary file based on said target code genes.
- The system of claim 8, wherein said accurate designation of said target binary file is:(i) malicious based on shared code genes in said target code genes and said code genome database only found in malicious files; or(ii) benign based on shared code genes in said target code genes and said code genome database only found in trusted files.
- The system of any one of claims 6 to 9, wherein said normalizing includes normalizing multiple code instructions into a single code instruction.
- A non-transitory computer-readable storage medium, having computer-readable code embodied on the non-transitory computer-readable storage medium, for genetic malware analysis and classification using code reuse patterns, the computer-readable code comprising:(a) program code for, upon receiving a target binary file, disassembling said target binary file into assembly code;(b) program code for extracting individually-identifiable code fragments from said assembly code;(c) program code for normalizing said individually-identifiable code fragments by:(i) grouping certain instructions in a given said individually-identifiable code fragment that produce identical instruction outputs either individually or in conjunction with at least one other instruction in said given individually-identifiable code fragment; and(ii) grouping certain said individually-identifiable code fragments that form at most exclusively only one function code for performing a given instruction, wherein each grouping of said certain individually-identifiable code fragments is designated as a unique target code gene, and wherein a target code gene is defined as a code reuse pattern classification;(d) program code for collating said target code genes into a code genome database; and(e) program code for detecting all files and/or code families in said code genome database containing said target code genes from said target binary file, wherein said detecting includes prioritizing that false-positive matches between said files and/or said code families of said target binary file and said target code genes are not detected, wherein said false-positive matches are exemplified as genericized matches among said target code genes which are not related to a shared origin source code.
- The non-transitory computer-readable storage medium of claim 11, wherein said normalizing includes upon detecting a MOV instruction in a specific said individually-identifiable code fragment, corresponding to a command to move values to a register, and wherein said MOV instruction is listed in said specific individually-identifiable code fragment before a CALL instruction, normalizing said MOV instruction to a PUSH instruction in said target code genes.
- The non-transitory computer-readable storage medium of any one of claims 11 or 12, the computer-readable code further comprising:(f) program code for determining an accurate designation of said target binary file based on said target code genes.
- The non-transitory computer-readable storage medium of claim 13, wherein said accurate designation of said target binary file is:(i) malicious based on shared code genes in said target code genes and said code genome database only found in malicious files; or(ii) benign based on shared code genes in said target code genes and said code genome database only found in trusted files.
- The non-transitory computer-readable storage medium of any one of claims 11 to 14, wherein said normalizing includes normalizing multiple code instructions into a single code instruction.
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US16/592,791 US10824722B1 (en) | 2019-10-04 | 2019-10-04 | Methods and systems for genetic malware analysis and classification using code reuse patterns |
Publications (3)
Publication Number | Publication Date |
---|---|
EP3800570A1 EP3800570A1 (en) | 2021-04-07 |
EP3800570C0 EP3800570C0 (en) | 2023-06-07 |
EP3800570B1 true EP3800570B1 (en) | 2023-06-07 |
Family
ID=72744664
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
EP20199874.7A Active EP3800570B1 (en) | 2019-10-04 | 2020-10-02 | Methods and systems for genetic malware analysis and classification using code reuse patterns |
Country Status (2)
Country | Link |
---|---|
US (1) | US10824722B1 (en) |
EP (1) | EP3800570B1 (en) |
Families Citing this family (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
EP3850517A4 (en) | 2018-09-15 | 2022-06-01 | Quantum Star Technologies Inc. | Bit-level data generation and artificial intelligence techniques and architectures for data protection |
KR102308477B1 (en) * | 2020-12-07 | 2021-10-06 | 주식회사 샌즈랩 | Method for Generating Information of Malware Which Describes the Attack Charateristics of the Malware |
Family Cites Families (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US8312545B2 (en) * | 2006-04-06 | 2012-11-13 | Juniper Networks, Inc. | Non-signature malware detection system and method for mobile platforms |
US20090313700A1 (en) * | 2008-06-11 | 2009-12-17 | Jefferson Horne | Method and system for generating malware definitions using a comparison of normalized assembly code |
US9003529B2 (en) * | 2012-08-29 | 2015-04-07 | The Johns Hopkins University | Apparatus and method for identifying related code variants in binaries |
US20150186649A1 (en) * | 2013-12-31 | 2015-07-02 | Cincinnati Bell, Inc. | Function Fingerprinting |
US10043009B2 (en) * | 2014-09-24 | 2018-08-07 | Intel Corporation | Technologies for software basic block similarity analysis |
CN107615240B (en) * | 2015-04-17 | 2021-11-02 | 巴特尔纪念研究所 | Biological sequence based scheme for analyzing binary files |
-
2019
- 2019-10-04 US US16/592,791 patent/US10824722B1/en active Active
-
2020
- 2020-10-02 EP EP20199874.7A patent/EP3800570B1/en active Active
Also Published As
Publication number | Publication date |
---|---|
US10824722B1 (en) | 2020-11-03 |
EP3800570C0 (en) | 2023-06-07 |
EP3800570A1 (en) | 2021-04-07 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
Alazab | Profiling and classifying the behavior of malicious codes | |
Chumachenko | Machine learning methods for malware detection and classification | |
US9553889B1 (en) | System and method of detecting malicious files on mobile devices | |
JP5326062B1 (en) | Non-executable file inspection apparatus and method | |
JP5265061B1 (en) | Malicious file inspection apparatus and method | |
US8261344B2 (en) | Method and system for classification of software using characteristics and combinations of such characteristics | |
Vemparala et al. | Malware detection using dynamic birthmarks | |
KR101230271B1 (en) | System and method for detecting malicious code | |
Sihag et al. | BLADE: Robust malware detection against obfuscation in android | |
KR101851233B1 (en) | Apparatus and method for detection of malicious threats included in file, recording medium thereof | |
Zakeri et al. | A static heuristic approach to detecting malware targets | |
Siddiqui | Data mining methods for malware detection | |
Martinelli et al. | I find your behavior disturbing: Static and dynamic app behavioral analysis for detection of android malware | |
EP3800570B1 (en) | Methods and systems for genetic malware analysis and classification using code reuse patterns | |
Poudyal et al. | Analysis of crypto-ransomware using ML-based multi-level profiling | |
Sun et al. | An opcode sequences analysis method for unknown malware detection | |
Mishra | Methods of Virus detection and their limitations | |
O'Kane et al. | N-gram density based malware detection | |
Raymond et al. | Investigation of Android Malware with Machine Learning Classifiers using Enhanced PCA Algorithm. | |
EP3113065B1 (en) | System and method of detecting malicious files on mobile devices | |
Mahawer et al. | Metamorphic malware detection using base malware identification approach | |
Chowdhury et al. | Malware detection for healthcare data security | |
Albishry et al. | An attribute extraction for automated malware attack classification and detection using soft computing techniques | |
Bernardi et al. | Data-aware process discovery for malware detection: an empirical study | |
Bashari Rad et al. | Morphed virus family classification based on opcodes statistical feature using decision tree |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PUAI | Public reference made under article 153(3) epc to a published international application that has entered the european phase |
Free format text: ORIGINAL CODE: 0009012 |
|
STAA | Information on the status of an ep patent application or granted ep patent |
Free format text: STATUS: THE APPLICATION HAS BEEN PUBLISHED |
|
AK | Designated contracting states |
Kind code of ref document: A1 Designated state(s): AL AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HR HU IE IS IT LI LT LU LV MC MK MT NL NO PL PT RO RS SE SI SK SM TR |
|
AX | Request for extension of the european patent |
Extension state: BA ME |
|
STAA | Information on the status of an ep patent application or granted ep patent |
Free format text: STATUS: REQUEST FOR EXAMINATION WAS MADE |
|
17P | Request for examination filed |
Effective date: 20210412 |
|
RBV | Designated contracting states (corrected) |
Designated state(s): AL AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HR HU IE IS IT LI LT LU LV MC MK MT NL NO PL PT RO RS SE SI SK SM TR |
|
GRAP | Despatch of communication of intention to grant a patent |
Free format text: ORIGINAL CODE: EPIDOSNIGR1 |
|
STAA | Information on the status of an ep patent application or granted ep patent |
Free format text: STATUS: GRANT OF PATENT IS INTENDED |
|
RIC1 | Information provided on ipc code assigned before grant |
Ipc: G06F 21/56 20130101AFI20220711BHEP |
|
INTG | Intention to grant announced |
Effective date: 20220817 |
|
GRAJ | Information related to disapproval of communication of intention to grant by the applicant or resumption of examination proceedings by the epo deleted |
Free format text: ORIGINAL CODE: EPIDOSDIGR1 |
|
STAA | Information on the status of an ep patent application or granted ep patent |
Free format text: STATUS: REQUEST FOR EXAMINATION WAS MADE |
|
GRAS | Grant fee paid |
Free format text: ORIGINAL CODE: EPIDOSNIGR3 |
|
STAA | Information on the status of an ep patent application or granted ep patent |
Free format text: STATUS: GRANT OF PATENT IS INTENDED |
|
GRAP | Despatch of communication of intention to grant a patent |
Free format text: ORIGINAL CODE: EPIDOSNIGR1 |
|
INTC | Intention to grant announced (deleted) | ||
INTG | Intention to grant announced |
Effective date: 20230113 |
|
GRAA | (expected) grant |
Free format text: ORIGINAL CODE: 0009210 |
|
STAA | Information on the status of an ep patent application or granted ep patent |
Free format text: STATUS: THE PATENT HAS BEEN GRANTED |
|
AK | Designated contracting states |
Kind code of ref document: B1 Designated state(s): AL AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HR HU IE IS IT LI LT LU LV MC MK MT NL NO PL PT RO RS SE SI SK SM TR |
|
REG | Reference to a national code |
Ref country code: GB Ref legal event code: FG4D |
|
REG | Reference to a national code |
Ref country code: CH Ref legal event code: EP Ref country code: AT Ref legal event code: REF Ref document number: 1577168 Country of ref document: AT Kind code of ref document: T Effective date: 20230615 Ref country code: DE Ref legal event code: R096 Ref document number: 602020011723 Country of ref document: DE |
|
U01 | Request for unitary effect filed |
Effective date: 20230607 |
|
U07 | Unitary effect registered |
Designated state(s): AT BE BG DE DK EE FI FR IT LT LU LV MT NL PT SE SI Effective date: 20230619 |
|
REG | Reference to a national code |
Ref country code: LT Ref legal event code: MG9D |
|
PG25 | Lapsed in a contracting state [announced via postgrant information from national office to epo] |
Ref country code: NO Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT Effective date: 20230907 Ref country code: ES Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT Effective date: 20230607 |
|
PG25 | Lapsed in a contracting state [announced via postgrant information from national office to epo] |
Ref country code: RS Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT Effective date: 20230607 Ref country code: HR Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT Effective date: 20230607 Ref country code: GR Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT Effective date: 20230908 |
|
U20 | Renewal fee paid [unitary effect] |
Year of fee payment: 4 Effective date: 20231027 |
|
PG25 | Lapsed in a contracting state [announced via postgrant information from national office to epo] |
Ref country code: SK Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT Effective date: 20230607 |
|
PG25 | Lapsed in a contracting state [announced via postgrant information from national office to epo] |
Ref country code: IS Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT Effective date: 20231007 |
|
PG25 | Lapsed in a contracting state [announced via postgrant information from national office to epo] |
Ref country code: SM Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT Effective date: 20230607 Ref country code: SK Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT Effective date: 20230607 Ref country code: RO Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT Effective date: 20230607 Ref country code: IS Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT Effective date: 20231007 Ref country code: CZ Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT Effective date: 20230607 |
|
PG25 | Lapsed in a contracting state [announced via postgrant information from national office to epo] |
Ref country code: PL Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT Effective date: 20230607 |
|
PLBE | No opposition filed within time limit |
Free format text: ORIGINAL CODE: 0009261 |
|
STAA | Information on the status of an ep patent application or granted ep patent |
Free format text: STATUS: NO OPPOSITION FILED WITHIN TIME LIMIT |